Although the consequences aren’t as dire as it sounds, the Internet ran out of IP addresses (roughly analogous to telephone numbers) last month.

While the Web won’t come crashing down anytime soon, you’re going to be affected by the new numbering scheme — and some details may catch you unawares.

Last October, Fred Langa talked in his LangaList Plus column about the changes under way. Simply put, the Internet has run out of IP addresses under the old IPv4 scheme.

This is no namby-pamby upgrade. The current 32-bit IPv4 scheme can handle just under 4.3 billion different Internet addresses. And we’ve used them up. (That represents an astounding number of networked devices potentially in use.) The new, 128-bit, IPv6 numbering method can accommodate 340 trillion trillion trillion addresses. It’s, ahem, unlikely that we’ll need that many addresses anytime soon.

But IPv6 incorporates much more than added addresses. There’s a complex scheme of layering, protocols, security, and communication enhancements buried in the standard. For the most part, you won’t have to worry about the details. But there are a few areas where you can help — and where you can be taken in. Caveat surfor! (Web-surfer, beware!) Moving to a new format for IP addresses An IP address identifies a specific piece of hardware on a network — one device, one unique IP address. And the Internet has grown into a mighty big network — with far more devices attached to it than anyone could have imagined back in 1977, when IPv4 was invented.

IPv4 addresses are expressed in four groups of numbers between 0 and 255. For example, 74.208.121.252 or 192.168.1.0. No doubt you’ve struggled with them at some point.

The Internet Assigned Numbers Authority (IANA) assigns IPv4 addresses in blocks of 16 million addresses to each of five Regional Internet Registries. There are RIRs for Africa, the U.S. and Canada, Australasia, Latin America, and Europe/Middle East/Central Asia. Each RIR in turn assigns blocks of addresses to Internet Service Providers and other organizations. On Feb. 1, IANA gave out the last blocks of IPv4 addresses to its five RIRs.

That does not mean we’re facing an imminent crisis. It’ll take years for all RIRs to allocate all numbers, and there are tricks that can shuffle numbers around (prompting worries of a possible black market in IP addresses). But the writing’s clearly on the wall — we’re running out of the Internet’s phone numbers.

(IP addresses should not be confused with MAC addresses. IPs are issued to networked devices by the Internet service provider. In most home networks, the IP address is dynamic — it can change when you connect to an ISP. Mac addresses are assigned by the device manufacturer and are essentially a unique, fixed identifier for the device’s network interface — and thus for the device.)

To handle the vast number of computers and other devices now connecting to the Internet, the IANA and ISPs are in the process of rolling out IPv6. The new IPv6 addresses appear as a group of eight numbers, each with four hexadecimal digits, such as:

2001:cdba:9abc:5678:ffff:ffff:face:b00c

Clearly, we aren’t going to wake up one morning to find the Internet working with IPv6. Instead, there will be a period of years — probably many years — where IPv4 and IPv6 need to peacefully coexist.

And that’s where the so-called dual stack comes into play. Testing for dual-stack compatibility Running IPv6 on Windows is a piece of cake: IPv6 has been built into Windows since XP Service Pack 2. If you are using HomeGroup on Windows 7, you already have IPv6 up and working between your homegrouped PCs. Similarly, all modern versions of Linux and Mac OS speak IPv6, as do most smartphone operating systems.

The problem isn’t on your desktop, laptop, or phone. The problem lies in all of the gear between you and your destination. You may or may not be able to get through on an IPv6 connection because your router or your ISP’s equipment can’t handle it. That’s why, for the foreseeable future, most major websites will be running dual stacks, which allow you to get into the site on either an IPv4 or IPv6 connection.

If you’re running only IPv4, you’ll be just fine for the foreseeable future; your equipment speaks IPv4, and the Internet location you’re connected to still speaks IPv4 (and IPv6 with a dual stack).

A problem arises, though, if your router or your ISP’s equipment thinks it can handle IPv6 and really can’t. Your PC tries to connect via IPv6 but something gets lost in the communication. You might experience delays of a minute or more while your PC battles with the site’s IPv6 stack, can’t get through because of intermediary problems, gives up after a while, and finally falls back to IPv4.

For that reason, the international Internet Society (ISOC) is throwing a World IPv6 Day on June 8 — 24 hours for website owners, ISPs, and network users (that’s us) to take an IPv6 test flight. ISOC has arranged for Google, YouTube, Facebook, Yahoo, and a hundred other sites to turn on their IPv6 stacks. Two of the biggest Internet plumbing organizations, Akamai and Limelight Networks, will also enable IPv6 on that day. The idea is to test all the intermediaries — ISPs and other network operators, plus router hardware manufacturers — to see which of them will fall over when dual stacks become commonplace.

“Testing IPv6 is important because recent studies indicate about 0.05% of Internet users (1 in 2,000) can’t reliably connect to websites that enable both IPv4 and IPv6 addresses (known as “dual-stacked” websites). This has resulted in a classic chicken-and-egg puzzle right now: websites don’t want to enable IPv6 because a small number of their users may have trouble connecting.”

As June 8 rolls around, you might want to let your friends and colleagues know that they’re going to be part of a huge test. Have them go to one of the test sites and see whether the connection goes through. If it fails, have them complain — loudly — to their Internet Service Provider.

You don’t have to wait for June 8, though. ISOC has a website set up to perform a one-off test of your current configuration. Go there now, and you’ll receive a report like the one in Figure 1.

Figure 1. ISOC’s test page tells you in advance whether you’re going to have trouble on June 8. Make sure you buy IPv6-capable routers Incredibly, some router manufacturers are peddling goods that aren’t yet IPv6-compatible. If your ISP provided the router you’re using now, you don’t need to worry about it — sooner or later, they’ll have to ensure it runs IPv6 and the swap-out shouldn’t cost you anything. (Not directly, anyway.)

But if you’re buying your own router, be very aware of the fact that most consumer routers don’t run IPv6. Julie Bort at InfoWorld reported that, as of a month ago, none of Cisco’s consumer Linksys routers runs IPv6. For a follow-up story, Cisco stated that “Linksys routers being launched this spring will have IPv6 support” and that the “Linksys E4200 router we launched in January will have an [IPv6] firmware upgrade planned for April.” But there’s still no word about which, if any, of the zillions of legacy Linksys routers will run IPv6.

If you’re thinking about buying a router and want to make sure it’ll run IPv6, you can look on the box to see whether it’s certified by the IPv6 Forum. If you want the full details, though, check whether the router is listed on the American Registry for Internet Numbers (ARIN) Broadband CPE analysis site. Bet you’ll be a little bit surprised — and not pleasantly.

Feedback welcome: Have a question or comment about this story? Post your thoughts, praise, or constructive criticisms in the WS Columns forum.

Forum member royw has been investigating the disappearance of 91 Outlook Express messages from his friend’s inbox and has partly recovered them using Windows Live Mail, but what corrupted the OE message store in the first place? And will the same thing happen to the WLM message store? More»

The following links are this week’s most interesting Lounge threads, including several new questions to which you might be able to provide responses:

If you’re not already a Lounge member, use the quick registration form to sign up for free. The ability to post comments and take advantage of other Lounge features is available only to registered members.

If you’re already registered, you can jump right in to today’s discussions in the Lounge.

The Lounge Life column is a digest of the best of the WS Lounge discussion board. Kathleen Atkins is associate editor of Windows Secrets.

For some people, camaraderie and competition are equivalent workplace pleasures — among the most serious ways to have fun anyone has dreamed up.

It would be hard to beat the playful work of this team in Salt Lake City, who constructed a welcome-home prank to amaze their vacationing colleague on his return to the office. Window-box flowers, anyone? Play the video

“I have been using the Windows 7 firewall and Microsoft Security Essentials and been very happy. However, I discovered today that it fails GRC.com’s LeakTest [site]. Is there a way to adjust the Win7 firewall?”

Yes, Bill. In fact, there are multiple ways.

It can sometimes be useful to know when software on your PC tries to establish an outbound connection. If the connection isn’t one you asked for or involves software that you don’t recognize, it could be that malware is attempting to phone home or otherwise use your connection to transmit information for its own purposes.

That’s what LeakTest checks for: it installs a small, harmless program on your PC that tries to contact the GRC.com servers in a mock phone-home scenario. If your firewall guards against this kind of behavior, it will alert you before allowing the Leaktest program to go online. If your firewall stays silent, then LeakTest shows that malware could phone home from your PC, and you’d never know it.

But frankly, I don’t worry much about phone-home activity. Think about it: if malware has made it onto your machine and is trying to phone home, your PC is already compromised. The real solution to phone-home malware is to avoid infection in the first place. If your PC stays clean, phone-home protection is irrelevant.

Most users of Web-based e-mail services assume that as long as they’re connected to the Internet, they’ll have 24/7 access to their accounts.

But a recent Gmail failure proved otherwise. Here’s how to create backups of all your mail residing in the cloud.

Online e-mail service failures: slow recovery About 30,000 Gmail users lost their e-mail on the last day of February. Not only could they not send and receive messages, they couldn’t access any of the messages they had sent, received, or archived since they put their trust in Google.

Google had backups, but five days after the disaster struck, some people’s e-mail collections were still unrestored.

This very scary incident should work as a wake-up call for anyone who keeps e-mail in the cloud. Whether you’re using Gmail, Hotmail, Yahoo Mail, or something more obscure, if you’re doing mail from a webpage, an error made by someone thousands of miles away could eliminate thousands of precious messages that you chose to save, including vital information from your doctor, your accountant, and your boss.

And because that error would probably rob thousands of other people of their mail, too, you wouldn’t receive careful service, concentrating on you, from the company at fault.

At this year’s Pwn2Own browser-hacking competition, a component of the CanSecWest security conference, clever new exploits took down Internet Explorer 8.

Released just days later, Internet Explorer 9 is immune — and offers additional security enhancements.

Safari and IE 8 the only browsers hacked If you read only that headline from the Pwn2Own 2011 competition, you’d have a skewed view of browser security — especially if you read a little further on that Safari had been cracked in seconds. In reality, it took top security researchers two weeks to build their Safari exploit. And it took another researcher twice as long to build a successful IE 8 exploit.

It was widely reported that Google went unchallenged in the competition. But in truth, none of the competitors took a shot at either Google or Firefox — not because they are unbreakable but because the prize money was not worth the effort.

Pwn2Own does have a silver lining for all of us: it drives browser vendors to push out fixes for vulnerabilities they were in no great hurry to fix.

To successfully crack IE 8, researcher Stephen Fewer needed a variety of exploits, some within the Windows 7 operating system. As noted in an Ars Technica report on the competition, Fewer chained three separate vulnerabilities, one of which bypassed IE’s Protected Mode sandbox. More worrisome, the exploits also bypassed Windows 7’s Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) — the operating system’s two key security technologies.

The Windows Secrets Newsletter is published weekly on the 1st through 4th Thursdays of each month, plus occasional news updates. We skip an issue on the 5th Thursday of any month, the week of Thanksgiving, and the last two weeks of August and December. Windows Secrets is a continuation of four merged publications: Brian's Buzz on Windows and Woody's Windows Watch in 2004, the LangaList in 2006, and the Support Alert Newsletter in 2008.

Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. The Windows Secrets series of books is published by
Wiley Publishing Inc. The Windows Secrets Newsletter, WindowsSecrets.com, Support Alert, LangaList, LangaList Plus, WinFind, Security Baseline, Patch Watch, Perimeter Scan, Wacky Web Week, the Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of WindowsSecrets.com. All other marks are the trademarks or service marks of their respective owners.HOW TO SUBSCRIBE: Anyone may subscribe to this newsletter by visiting our
free signup page.

WE GUARANTEE YOUR PRIVACY:

1. We will never sell, rent, or give away your address to any outside
party, ever.
2. We will never send you any unrequested e-mail, besides
newsletter updates.
3. All unsubscribe requests are honored immediately, period.
Privacy policy

HOW TO UNSUBSCRIBE: To unsubscribe
from the Windows Secrets Newsletter,

Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. The Windows Secrets series of books is published by Wiley Publishing Inc. The Windows Secrets Newsletter, WindowsSecrets.com, WinFind, Windows Gizmos, Security Baseline, Patch Watch, Perimeter Scan, Wacky Web Week, the Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of iNET Interactive. All other marks are the trademarks or service marks of their respective owners.